Data processing method

ABSTRACT

Key encryption key data KEK used for communication between a key management device 3 and receiving apparatuses 4_1 to 4_N is acquired based on a tree divided into two horizontal layers A0 and A1. In this case, the LSD method is employed as a revocation method of each section 31[0] belonging to the horizontal layer A0. Further, the CST method is employed as the revocation method of each section 31[1] belonging to the horizontal layer A1.

TECHNICAL FIELD

The present invention relates to a data processing method for secure communication, a program of the same, an apparatus of the same, and a receiving apparatus.

BACKGROUND ART

In secure communication, ordinarily a key management device and a receiving apparatus (terminal equipment) hold or generate the same session key data, and the key management device encrypts the data based on the session key data (hereinafter also referred to as “SEK data”) and transmits it to the receiving apparatus.

In such secure communication, the secure communication is carried out based on for example common session key data for a plurality of receiving apparatuses determined in advance.

In this case, when one or more of the plurality of receiving apparatuses loses its rights, the key management device must update the session key data which had been used hitherto to revoke (invalidate) the rights of that receiving apparatus.

As methods of updating such session key data (key acquisition method), that is, revocation processing, for example, the LSD method disclosed in “D. Halevy and A. Shamir, “The LSD broadcast encryption scheme”, CRYPTO 2002, Lecture Notes in Computer Science, vol. 2442, pp. 47-60, 2002” and the CST method disclosed in “D. Naor, M. Naor, and J. Lotspiech, “Revocation and tracing schemes for stateless receivers”, CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, pp. 41-62, 2001” have been known.

In the key acquisition methods disclosed in these, the revocation processing is carried out based on a tree comprised of the key management device allocated to the root and the plurality of receiving apparatuses allocated to the plurality of leaves.

In this case, the key management device makes the receiving apparatuses hold a plurality of key data defined based on the tree in advance and instructs the receiving apparatuses not to be revoked which of the plurality of key data is used by the key management device for generating the key encryption key data used for the secure communication.

Then, each receiving apparatus not to be revoked selects the instructed key data from among the plurality of key data held in advance and generates the key encryption key data by the key acquisition method determined in advance in a fixed manner by using the selected key data.

The key management device encrypts the new session key data by the key encryption key data and transmits this to the receiving apparatuses not to be revoked.

Each receiving apparatus not to be revoked decodes the encrypted session key data received from the key management device by using the generated key encryption key data to obtain new session key data.

Here, the amount of communication between the key management side and the receiving apparatuses accompanied with the revocation processing is smaller in the LSD method than that in the CST method, but the number of key data (amount of data) held by the receiving apparatus is smaller in the CST than that in the LSD method.

There is therefore a trade off between the amount of communication between the key management side and the receiving apparatuses accompanied with the revocation processing and the amount of the key data held by each receiving apparatus.

Conventionally, the revocation processing has been carried out by applying only one of the LSD method and CST method to the entire tree used for the key management.

With the conventional technique applying only one of the LSD method and the CST method to the entire tree used for the key management, however, there is the problem that the trade off between the amount of communication between the key management side and the receiving apparatuses accompanied with the revocation processing and the amount of the key data held by each receiving apparatus is not suitable.

Namely, there is the problem that when the LSD method is employed, the amount of the key data held by each receiving apparatus becomes enormous, while when the CST method is employed, the amount of communication accompanied with the revocation processing becomes enormous, and it is difficult to construct a system which can be realized. Such a problem becomes more serious as the number of receiving apparatuses becomes larger.

DISCLOSURE OF THE INVENTION

The present invention was made in consideration with the above background and has as an object thereof to provide a data processing method defining a suitable trade off between the amount of communication between the key management side and the receiving apparatuses accompanied with the revocation processing and the amount of data held by the receiving apparatus, a program of same, an apparatus of same, and a receiving apparatus.

To attain the above object, the data processing method of the first aspect of the invention is a data processing method performed by a key management side based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising a first step of specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second step of specifying nodes not having any receiving apparatuses to be invalidated at branches of the nodes among nodes at terminal ends in the second layer; a third step of specifying the nodes not having any receiving apparatuses to be invalidated at the leaves branched from the node and nearest the root from among nodes located on the paths between the nodes specified at the second step and the root; and a fourth step of communicating with receiving apparatuses not to be invalidated based on the second key data allocated to the nodes specified at the third step.

The mode of operation of the data processing method of the first aspect of the invention is as follows.

First, the first step specifies sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among the sub trees belonging to the first layer.

Next, the second step specifies nodes not having any receiving apparatuses to be invalidated at the branches of the nodes from among the nodes at the terminal ends in the second layer.

Next, the third step specifies the nodes not having receiving apparatuses to be invalidated at the leaves branched from the nodes and nearest the root from among nodes located on the paths between the nodes specified at the second step and the root.

Next, the fourth step communicates with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified at the first step and the second key data allocated to the nodes specified at the third step.

The program of the second aspect of the invention is a program for making a computer on the key management side execute key management processing based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising a first routine of specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second routine of specifying nodes not having any receiving apparatuses to be invalidated at branches of the nodes among nodes at terminal ends in the second layer; a third routine of specifying the nodes not having any receiving apparatuses to be invalidated at the leaves branched from the node and nearest the root from among nodes located on the paths between the nodes specified at the second routine and the root; and a fourth routine of communicating with receiving apparatuses not to be invalidated based on the second key data allocated to the nodes specified at the third routine.

The data processing apparatus of the third aspect of the invention is a data processing apparatus for key management based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising a first means for specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second means for specifying nodes not having any receiving apparatuses to be invalidated at branches of the nodes among nodes at terminal ends in the second layer; a third means for specifying the nodes not having any receiving apparatuses to be invalidated at the leaves branched from the node and nearest the root from among nodes located on the paths between the nodes specified by the second means and the root; and a fourth means for communicating with receiving apparatuses not to be invalidated based on the second key data allocated to the nodes specified by the third means.

First, the first means specifies sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among the sub trees belonging to the first layer.

Next, the second means specifies nodes not having any receiving apparatuses to be invalidated at the branches of the nodes from among the nodes at the terminal ends in the second layer.

Next, the third means specifies the nodes not having receiving apparatuses to be invalidated at the leaves branched from the nodes and nearest the root from among nodes located on the paths between the nodes specified by the second means and the root.

Next, the fourth means communicates with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified at the first step and the second key data allocated to the nodes specified by the third means.

A receiving apparatus of a fourth aspect of the invention is a receiving apparatus for communicating with a key management side based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising a storing means for storing third key data for generating a plurality of first key data allocated to a plurality of sets defined so that there are sets having as elements only receiving apparatuses not to be invalidated in the sub trees even in a case where any other receiving apparatuses in sub trees to which the receiving apparatuses in the first layer belong are invalidated and a plurality of second key data allocated to all of the nodes located on the paths between the nodes on the terminal ends corresponding to those receiving apparatuses in the second layer and the root and a processing means for generating the first key data based on the third key data read out from the storing means when the key designation data received from the key management side designates the third key data, communicating with the key management side by using the first key data, and communicating with the key management side by using the second key data read from the storing means when the key designation data designates the second key data.

A data processing method of a fifth aspect of the invention is a data processing method performed by a key management side based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising a first step of specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second step of specifying sets having as elements only nodes including only receiving apparatuses not to be invalidated at the branches among nodes on the terminal ends in the sub trees from among a plurality of sets defined in advance for the sub trees including receiving apparatuses to be invalidated at the branches among the sub trees belonging to the third layer; a third step of specifying the nodes not having any receiving apparatuses to be invalidated at the branches from the nodes and nearest the root from among nodes located on the paths between the nodes not having receiving apparatuses to be invalidated at the branches of the nodes and the root among the nodes of the second layer; and a fourth step of communicating with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified at the first step, the second key data allocated to the sets specified at the second step, and the third key data allocated to the nodes specified at the third step.

The mode of operation of the data processing method of the fifth aspect of the invention is as follows.

First, the first step specifies sets having as elements only receiving apparatuses not to be invalidated in sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to a first layer.

Next, the second step specifies sets having as elements only nodes including only receiving apparatuses not to be invalidated at the branches among nodes at the terminal ends in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated at the branches among sub trees belonging to a third layer.

Next, the third step specifies nodes not having any receiving apparatuses to be invalidated at the branches from the nodes and nearest the root from among the nodes located on the paths between the nodes not having any receiving apparatuses to be invalidated at the branches of the nodes and the root among the nodes of the second layer.

Next, the fourth step communicates with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified at the first step, the second key data allocated to the sets specified at the second step, and the third key data allocated to the nodes specified at the third step.

The program of the sixth aspect of the invention is a program for making a computer on the key management side execute key management processing based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong, a second layer to which a root linked with the key management side belongs, and a third layer interposed between the first layer and the second layer, comprising a first routine of specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second routine of specifying sets having as elements only nodes including only receiving apparatuses not to be invalidated at the branches among nodes on the terminal ends in the sub trees from among a plurality of sets defined in advance for the sub trees including receiving apparatuses to be invalidated at the branches among the sub trees belonging to the third layer; a third routine of specifying the nodes not having any receiving apparatuses to be invalidated at the branches from the nodes and nearest the root from among nodes located on the paths between the nodes not having receiving apparatuses to be invalidated at the branches of the nodes and the root among the nodes of the second layer; and a fourth routine of communicating with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified at the first routine, the second key data allocated to the sets specified at the second routine, and the third key data allocated to the nodes specified at the third routine.

A data processing apparatus of the seventh aspect of the invention is a data processing apparatus for key management based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong, a second layer to which a root linked with the key management side belongs, and a third layer interposed between the first layer and the second layer, comprising a first means for specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second means for specifying sets having as elements only nodes including only receiving apparatuses not to be invalidated at the branches among nodes on the terminal ends in the sub trees from among a plurality of sets defined in advance for the sub trees including receiving apparatuses to be invalidated at the branches among the sub trees belonging to the third layer; a third means for specifying the nodes not having any receiving apparatuses to be invalidated at the branches from the nodes and nearest the root from among nodes located on the paths between the nodes not having receiving apparatuses to be invalidated at the branches of the nodes and the root among the nodes of the second layer; and a fourth routine of communicating with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified by the first means, the second key data allocated to the sets specified by the second means, and the third key data allocated to the nodes specified by the third means.

The mode of operation of the data processing apparatus of the seventh aspect of the invention is as follows.

First, the first means specifies sets having as elements only receiving apparatuses not to be invalidated in sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to a first layer.

Next, the second means specifies sets having as elements only nodes including only receiving apparatuses not to be invalidated at the branches among nodes at the terminal ends in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated at the branches among sub trees belonging to a third layer.

Next, the third means specifies nodes not having any receiving apparatuses to be invalidated at the branches from the nodes and nearest the root from among the nodes located on the paths between the nodes not having any receiving apparatuses to be invalidated at the branches of the nodes and the root among the nodes of the second layer.

Next, the fourth means communicates with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified by the first means, the second key data allocated to the sets specified by the second means, and the third key data allocated to the nodes specified by the third means.

A receiving apparatus of an eighth aspect of the invention is a receiving apparatus for communicating with a key management side based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong, a second layer to which a root linked with the key management side belongs, and a third layer interposed between the first layer and the second layer, comprising a storing means for storing second key data for generating a plurality of first key data allocated to a plurality of sets defined so that there are sets comprised of only receiving apparatuses not to be invalidated in the sub trees even in a case where any other receiving apparatuses in sub trees to which receiving apparatuses in the first layer belong are invalidated, fourth key data for generating a plurality of third key data allocated to a plurality of sets defined so that there are sets having as elements only nodes at the terminal ends not having receiving apparatuses to be invalidated at the branches thereof even in a case where other receiving apparatuses at the branches of any nodes among nodes at the terminal ends of the third layer are invalidated, and a plurality of fifth key data allocated to all of the nodes located on the paths between the nodes at the terminal ends corresponding to the receiving apparatuses at the second layer and the root and a processing means for generating the first key data based on the second key data read from the storing means when the key designation data received from the key management side designates the second key data, generating the third key data based on the fourth key data read from the storing means when the key designation data designates the fourth key data, communicating with the key management side by using the third key data, and communicating with the key management side by using the fifth key data read from the storing means when the key designation data designates the fifth key data.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a view of the overall configuration of a communication system according to a first embodiment of the present invention.

FIG. 2 is a view of the hardware configuration of a key management device shown in FIG. 1.

FIG. 3 is a view for explaining a tree structure serving as the basis of a key acquisition method employed in the first embodiment of the present invention.

FIG. 4 is a flow chart for explaining processing of the key acquisition method employed in the first embodiment of the present invention.

FIG. 5 is a view for explaining a key acquisition method SKT-A employed in the first embodiment of the present invention.

FIG. 6 is a view for explaining a CST method.

FIG. 7 is a view for explaining the CST method.

FIG. 8 is a view for explaining the CST method.

FIG. 9 is a view for explaining an SD method.

FIGS. 10A and 10B are views for explaining the SD method.

FIG. 11 is a view for explaining the SD method.

FIG. 12 is a view for explaining the SD method.

FIG. 13 is a view for explaining an LSD method.

FIG. 14 is a view for explaining the LSD method.

FIG. 15 is a flow chart for explaining pre-processing performed by the key management device shown in FIG. 1.

FIG. 16 is a flow chart for explaining revocation processing performed by the key management device shown in FIG. 1.

FIG. 17 is a view for explaining capsule data CAP transmitted to a receiving apparatus not to be revoked by the key management device shown in FIG. 1.

FIG. 18 is a flow chart for explaining step ST23 shown in FIG. 16.

FIG. 19 is a view of the hardware configuration of the receiving apparatuses shown in FIG. 1.

FIG. 20 is a flow chart for explaining an example of the operation of the receiving apparatus shown in FIG. 1.

FIG. 21 is a flow chart for explaining step ST44 shown in FIG. 20.

FIG. 22 is a view for explaining a key acquisition method SKT-B according to a second embodiment of the present invention.

FIG. 23 is a flow chart for explaining the pre-processing performed by the key management device of the second embodiment of the present invention.

FIG. 24 is a flow chart for explaining the processing of step ST23 of FIG. 16 performed by the key management device of the second embodiment of the present invention.

BEST MODE FOR WORKING THE INVENTION

Below, an explanation will be given of a communication system according to embodiments of the present invention.

FIRST EMBODIMENT

The first embodiment is an embodiment of the first to fourth aspects of the invention.

FIG. 1 is a view of the overall configuration of a communication system 1 according to the first embodiment of the present invention.

As shown in FIG. 1, the communication system 1 has for example a key management device 3 and a plurality of (N) receiving apparatuses 4_1 to 4_N.

Here, the key management device 3 corresponds to the key management side of the present invention and the data processing apparatus of the third aspect of the invention, and the receiving apparatuses 4_1 to 4_N correspond to the receiving apparatuses of the present invention.

The key management device 3 and the receiving apparatuses 4_1 to 4_N for example transfer data (communicate) by the wireless method.

The receiving apparatuses 4_1 to 4_N are registered in the key management device 3 in advance and hold key data K_ORG and label data LABEL used for secret communication (secure communication) with the key management device 3.

Below, a brief explanation will be given of the communication system 1.

The communication system 1 performs the key management based on a horizontal layer A0 (the first layer of the present invention) to which a plurality of leaves allocated with the receiving apparatuses 4_1 to 4_N belong and a horizontal layer A1 (the second layer of the present invention) to which a root allocated with the key management device 3 belongs.

A plurality of sub trees are defined in the tree.

The key management device 3 specifies sets having as elements only receiving apparatuses not to be revoked in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be revoked (invalidated) among sub trees belonging to the horizontal layer A0.

Then, the key management device 3 acquires key encryption key data KEK used for communication with the receiving apparatuses of the elements of the specified sets based on the label LABEL allocated to the specified sets.

Further, the key management device 3 specifies nodes not having any receiving apparatuses to be revoked at the branches of the nodes from among nodes at the terminal ends in the horizontal layer A1.

Then, the key management device 3 specifies nodes not having any receiving apparatuses to be revoked at the leaves branched from the nodes and nearest the root from among nodes located on the paths between the specified nodes and the root.

Then, the key management device 3 uses the key data allocated to the specified nodes as the key encryption key data KEK used for communication with the receiving apparatuses not to be revoked linked with the leaves branched from the specified nodes.

The key management device 3 transmits the key designation data for generating the key encryption key data KEK to the receiving apparatuses 4_1 to 4_N not to be revoked.

Then, the receiving apparatuses 4_1 to 4_N not to be revoked acquire the key encryption key data KEK based on the key designation data.

The key management device 3 encrypts new session key data NEW_SEK based on the key encryption key data KEK and transmits the same to the receiving apparatuses 4_1 to 4_N.

The receiving apparatuses 4_1 to 4_N not to be revoked decode the session key data NEW_SEK based on the acquired key encryption key data KEK.

Subsequently, secure communication between the key management device 3 and the receiving apparatuses 4_1 to 4_N not to be revoked is carried out based on the session key data NEW_SEK.
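The node selection just described for the two layers can be traced with a short Python sketch. This is an added example, not code from the patent: the function names, the heap-style node numbering (root 1, children 2i and 2i+1) and the zero-based receiver indices are assumptions, and the layer A0 method is represented only by listing the surviving receivers that its pre-defined sets must cover.

```python
def cst_cover(height, excluded):
    """Complete-subtree cover of a binary tree with 2**height terminal nodes.

    `excluded` holds zero-based terminal indices that must not be covered.
    Returns the nodes nearest the root whose branches contain no excluded
    terminal, in heap numbering (root = 1, terminal i = 2**height + i).
    """
    first = 1 << height
    dirty = set()                      # nodes with an excluded terminal below
    for i in excluded:
        if not 0 <= i < first:
            raise ValueError(f"terminal index {i} out of range")
        node = first + i
        while node >= 1 and node not in dirty:
            dirty.add(node)
            node //= 2
    cover = set()
    for terminal in range(first, 2 * first):
        if terminal in dirty:
            continue                   # handled by the lower layer instead
        node = terminal
        while node > 1 and node // 2 not in dirty:
            node //= 2                 # climb while the parent is still clean
        cover.add(node)
    return sorted(cover)


def plan_revocation(h0, h1, revoked):
    """Key designation data for a tree with layer A0 (height h0, leaves are
    receivers) under layer A1 (height h1, terminal nodes are section roots)."""
    size = 1 << h0
    total = size << h1
    if any(not 0 <= r < total for r in revoked):
        raise ValueError("revoked receiver index out of range")
    affected = {r // size for r in revoked}
    # Layer A0: each affected section needs sets containing only survivors.
    layer0 = {
        s: [r for r in range(s * size, (s + 1) * size) if r not in revoked]
        for s in sorted(affected)
    }
    # Layer A1: CST over the section roots, excluding affected sections.
    return {"layer1_nodes": cst_cover(h1, affected), "layer0_sections": layer0}


def select_key(h0, h1, receiver, plan):
    """Receiver side: which designated key this receiver can use, or None."""
    section = receiver >> h0
    node = (1 << h1) + section
    while node >= 1:                   # receiver holds keys for its A1 path
        if node in plan["layer1_nodes"]:
            return ("layer1", node)
        node //= 2
    if receiver in plan["layer0_sections"].get(section, []):
        return ("layer0", section)
    return None                        # revoked: no designated key applies


if __name__ == "__main__":
    # Constructed sample: 32 receivers, 8 sections of 4, three revoked.
    plan = plan_revocation(2, 3, {5, 6, 21})
    print(plan)
    print("pure CST over the whole tree:", cst_cover(5, {5, 6, 21}))
```

With the constructed revocation set, layer A1 needs four node keys and only two sections fall back to the layer A0 method, whereas applying the complete-subtree selection to the whole 32-leaf tree designates eight node keys.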

Below, an explanation will be given of the key management device 3 andthe receiving apparatuses 4_1 to 4_N shown in FIG. 1.

[Key Management Device 3]

FIG. 2 is a view of the hardware configuration of the key management device 3 shown in FIG. 1.

As shown in FIG. 2, the key management device 3 has for example a communication unit 11, a memory 12, and a processing unit 13.

The communication unit 11 transmits the data generated by the processing unit 13 by the wireless method. The transmission is for SDR secure download by software defined radio (SDR) by a broadcast or other push method.

The memory 12 stores a program PRG1 executed by the processing unit 13 and various data used for the execution of the program PRG1.

Here, the program PRG1 corresponds to the program of the second aspect of the invention.

For example, the memory 12 stores all key data K_ORG and label data LABEL held by the receiving apparatuses 4_1 to 4_N.

Further, the memory 12 may store the key encryption key data KEK finally acquired by them without storing part or all of the key data K_ORG and label data LABEL as well.

The processing unit 13 executes the program PRG1 stored in the memory 12 and centrally controls the processing of the key management device 3 in accordance with the execution thereof. In the present embodiment, the processing of the key management device 3 is defined according to the program PRG1 executed by the processing unit 13.

The processing unit 13 performs the pre-processing such as distribution of the key data K_ORG and the label data LABEL to the receiving apparatuses 4_1 to 4_N and secure processing such as revocation processing such as update processing of the session key data in accordance with the execution of the program PRG1.

The processing unit 13 performs the pre-processing at the time of for example the registration of the receiving apparatuses 4_1 to 4_N preceding the revocation processing.

The processing unit 13 sets the key acquisition method (underlying structure) employed when performing the revocation processing and the key data K_ORG and the label data LABEL used in the key acquisition method in the receiving apparatuses 4_1 to 4_N in the pre-processing.

The processing unit 13 performs the revocation processing when any of the receiving apparatuses 4_1 to 4_N is to be revoked (invalidated).

The processing unit 13, in the revocation processing, selects the key encryption key data KEK for transmitting the session key data SEK to the receiving apparatuses 4_1 to 4_N not to be revoked in accordance with which of the receiving apparatuses 4_1 to 4_N is to be revoked in the revocation processing.

Then, the processing unit 13 transmits the key designation data for the receiving apparatuses 4_1 to 4_N not to be revoked to generate the key encryption key data KEK to the receiving apparatuses 4_1 to 4_N not to be revoked.

As the key acquisition method, in the present embodiment, as shown below, use is made of the SKT (sectioned key trees) individually defining the revocation method, defined based on the LSD method disclosed in Non-patent document 1, the CST method disclosed in Non-patent document 2, or another revocation method, for each section formed by a sub tree forming a tree comprised of a plurality of bisecting trees combined symmetrically left and right.

The information concerning the key acquisition method SKT employed by the processing unit 13 and the key data K_ORG and the label data LABEL used in the key acquisition method are provided to the receiving apparatuses 4_1 to 4_N by the pre-processing.

In the tree, a plurality of horizontal layers are defined, and each horizontal layer is divided into a plurality of sections.

Further, each section has a sub tree in which the root (node) thereof forms a leaf (node) of the higher horizontal layer.

Further, for example, sections belonging to the same horizontal layer have the same number of nodes. Namely, sections belonging to the same layer have the same sub trees.

As a general example, when a tree is divided into K number of horizontal layers, and the height of each horizontal layer l (l is an integer of from 0 to L−1) is H[l], the tree has $2^{H[l-1]}$ number of leaves. Further, the horizontal layer l has the number of sections indicated by the following formula (1), and a sub tree thereof has $2^{H[l-1]}$ number of leaves.

$$\prod_{i=\ell+1}^{L-1} 2^{H_i} = 2^{\sum_{i=\ell+1}^{L-1} H_i} \tag{1}$$

The structure of a tree 20 in a case where K=3, H[0]=2, H[1]=1, and H[3]=2 is shown in FIG. 3.

Below, an explanation will be given of the key acquisition method of the present embodiment defined based on the tree.

FIG. 4 is a flow chart for explaining the key acquisition method of the present embodiment.

Below, an explanation will be given of the steps shown in FIG. 4.

Step ST1:

The processing unit 13 specifies, for all sections belonging to the horizontal layer 0 (the lowermost layer) of the tree, any receiving apparatuses to be revoked among the receiving apparatuses 4_1 to 4_N allocated to leaves of the sub trees in which the sections are included.

Further, the processing unit 13 assigns an initial value “0” for l.

Step ST2:

The processing unit 13 performs the processing for revoking, for each of the sections belonging to the horizontal layer 0 of the tree, any receiving apparatuses specified at step ST1 by the revocation method employed for the sub tree where that section is included.

Namely, the processing unit 13 performs the revocation processing based on the employed revocation (RV) method and generates the data used for determining the key encryption key data KEK used for the communication with the receiving apparatuses not to be revoked among the receiving apparatuses 4_1 to 4_N belonging to the sub trees, for example, the data indicating the locations etc. of leaves to be revoked.

Step ST3:

The processing unit 13 increments l. Namely, it computes l=l+1.

Step ST4:

The processing unit 13 specifies, for each of all sections belonging to the horizontal layer l of the tree, any leaves having receiving apparatuses to be revoked in the lower layer thereof, that is, any leaves influenced by revocation among leaves (nodes and root of the horizontal layer l−1) of the sub tree where that section is included.

Step ST5:

The processing unit 13 performs the processing for revoking, for each of all sections belonging to the horizontal layer l of the tree, any leaves specified at step ST41 by the revocation method employed for the sub tree where that section is included.

Namely, the processing unit 13 performs the revocation processing based on the employed revocation (RV) method and generates the data used for determining the key encryption key data KEK used for communication with the receiving apparatuses existing in the lower layer of the leaves not influenced by the revocation among the leaves belonging to that sub tree, for example, the data indicating the locations of any nodes to be revoked.

Step ST6:

The processing unit 13 decides whether or not k=K. When deciding that l=L, it ends the processing, while when not deciding so, it returns to the processing of step ST3.

Step ST7:

The processing unit 13 generates the key encryption key data KEKm used for the communication with the receiving apparatuses 4_1 to 4_N not to be revoked based on the result of the RV processing performed for all sections belonging to all horizontal layers by steps ST1 to ST6. Here, m is an integer of 1 to M, and M indicates the number of key encryption key data KEK used for communication with all receiving apparatuses not to be revoked.

In this case, a plurality of not revoked receiving apparatuses may use a common key encryption key data KEKm, depending on the locations of the receiving apparatuses to be revoked on the tree.
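The bottom-up pass of steps ST1 to ST6, as an added Python example that is not part of the patent text. It assumes sections and leaves are indexed left to right from 0 and uses layer heights 2, 1, 2 only as constructed sample input; the function names are hypothetical.

```python
from math import prod


def sections_in_layer(heights, l):
    """Formula (1): number of sections in horizontal layer l,
    where heights[l] is H[l] and layer 0 is the lowermost layer."""
    return prod(2 ** h for h in heights[l + 1:])


def propagate_revocation(heights, revoked_leaves):
    """Steps ST1 to ST6: for each layer, map section index -> leaf positions
    inside that section that its own revocation (RV) method must exclude.

    Assumption of this example: leaf positions and section indexes are
    counted left to right starting at 0.
    """
    plan = []
    # ST1: receivers to be revoked, as positions on the leaf row of layer 0.
    affected = sorted(set(revoked_leaves))
    for l, h in enumerate(heights):          # ST3/ST6: l = 0 .. L-1
        width = 2 ** h                       # leaves per section in layer l
        per_section = {}
        for pos in affected:                 # ST1/ST4: group by owning section
            per_section.setdefault(pos // width, []).append(pos % width)
        if any(s >= sections_in_layer(heights, l) for s in per_section):
            raise ValueError("leaf position outside the tree")
        plan.append(per_section)             # ST2/ST5: input to each section's RV method
        # The root of every affected section is an influenced leaf of layer l+1.
        affected = sorted(per_section)
    return plan


if __name__ == "__main__":
    heights = [2, 1, 2]                      # constructed sample input
    for l, sections in enumerate(propagate_revocation(heights, [5, 6, 30])):
        print("layer", l, "of", sections_in_layer(heights, l), "sections:", sections)
```

Sections that do not appear in a layer's map are untouched by the revocation, so their keys can keep serving every receiver beneath them.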

Next, an explanation will be given of the key acquisition method SKT-A as the key acquisition method SKT employed in the present embodiment.

The key acquisition method SKT-A is characterized in that the amount of the label data LABEL and the key data K_ORG stored by the receiving apparatuses 4_1 to 4_N is smaller than that in the LSD method disclosed in the Non-patent Document 1, and the amount of communication between the key management device 3 and the receiving apparatuses 4_1 to 4_N accompanied with the revocation processing is smaller than that in the CST method disclosed in the Non-patent Document 2.

First, an explanation will be given of the key acquisition method SKT-A.

FIG. 5 is a view for explaining the key acquisition method SKT-A.

As shown in FIG. 5, in the key acquisition method SKT-A, the tree is divided into two horizontal layers A0 and A1.

The height of the lowermost horizontal layer A0 is defined as HA[0], and the height of the horizontal layer A1 is defined as ($\log_2 N$ − HA[0]). Here, N indicates the total number of receiving apparatuses 4_1 to 4_N.

As the revocation method of the sections 31[0] belonging to the horizontal layer A0, the LSD method disclosed in the Non-patent Document 1 is employed.

Further, as the revocation method of the sections 31[1] belonging to the horizontal layer A1, the CST method disclosed in the Non-patent Document 2 is employed.

Here, in the key acquisition method SKT-A, assume that the revocation of R number of the receiving apparatuses 4_1 to 4_N influences the ROA number of sections configuring the tree.

In this case, the dimension of the amount of communication between the key management device 3 and the receiving apparatuses 4_1 to 4_N not to be revoked accompanied with the revocation becomes O(COA) shown in the following formula (2) in the case of the key acquisition method SKT-A.

$O(\mathrm{COA}) = \left(R + \mathrm{ROA}\,((\log_2 N) - \mathrm{HA}[0]) - \mathrm{ROA}\,\log_2 \mathrm{ROA}\right) \quad (2)$

Below, an explanation will be given of the CST method.

FIG. 6 to FIG. 8 are views for explaining the CST method.

In the following explanation, as shown in FIG. 6, a case where the revocation method is carried out for 16 receiving apparatuses u1 to u16 by the CST method will be exemplified.

In the CST method, a “set comprised of receiving apparatuses allocated to leaves of bisecting trees having the nodes thereof as vertexes” is defined by using nodes of the bisecting trees.

In the example shown in FIG. 6, the node i indicates a set having as elements the receiving apparatuses u5 and u6. A node key (corresponding to the key data K_ORG in the SKT-A) is defined for each node.

Each receiving apparatus is given the node keys allocated to the nodes on the path from the leaf to which the receiving apparatus is allocated to the root of the tree to which the key management device is allocated. The receiving apparatus holds these node keys in a safe memory.

As shown in FIG. 7, the receiving apparatus u4 is given five node keys allocated to nodes 1, 2, 4, 9, and 19.

Namely, when the number of all receiving apparatuses is N, each receiving apparatus holds log N + 1 number of node keys.

FIG. 8 is a view for explaining how secret information (for example content keys for decoding the encrypted content) is transmitted to the receiving apparatuses not to be revoked.

Here, the receiving apparatuses u2, u11, and u12 are made the receiving apparatuses to be revoked.

In this case, the node keys allocated to the nodes on the paths from the leaves to which the receiving apparatuses u2, u11, and u12 to be revoked are allocated to the root of the tree cannot be used. This is because if these node keys are used, the receiving apparatuses to be revoked can obtain the secret information.

Then, when excluding these nodes and paths from the tree, one or more sub trees (partial trees) remain.

The efficient and safe transmission of the secret information is carried out by encrypting the secret information by using the node keys allocated to the nodes nearest the vertexes of the sub trees (nodes 5, 7, 9, 12, 16 in FIG. 8) and transmitting the same.

The receiving apparatus decrypts what it can decrypt itself in the transmitted encrypted text, that is, what was encrypted using the node key corresponding to the node on the path from the leaf to which it itself is allocated to the root, to obtain the secret information.

In the above example, for example the receiving apparatus u4 holds the node key of the node 9, so decodes the encrypted text by using this.

In the CST method, there is always one encrypted text which can be decrypted by a receiving apparatus not to be revoked.
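The CST cover computation described above, as an added Python example that is not part of the patent text. It assumes the node numbering implied by FIG. 7 (root 1, children 2k and 2k+1, receiver u1 at leaf N); the function names are hypothetical.

```python
def path_to_root(node):
    """Nodes from `node` up to the root (node 1)."""
    path = []
    while node >= 1:
        path.append(node)
        node //= 2
    return path


def leaf_of(n, u):
    """Leaf node of receiver u (1-based) in a tree with n leaves (n a power of 2)."""
    return n + u - 1


def node_keys_held(n, u):
    """Node keys a receiver stores: one per node on its leaf-to-root path."""
    return sorted(path_to_root(leaf_of(n, u)))


def cst_cover(n, revoked):
    """Nodes whose node keys encrypt the secret: the vertexes of the sub trees
    left after removing every path from a revoked leaf to the root."""
    if not revoked:
        return [1]                      # nobody revoked: the root key reaches everyone
    unusable = set()
    for u in revoked:
        unusable.update(path_to_root(leaf_of(n, u)))
    cover = []
    for node in unusable:
        if node < n:                    # internal node: inspect both children
            cover += [c for c in (2 * node, 2 * node + 1) if c not in unusable]
    return sorted(cover)


def key_for_receiver(n, u, cover):
    """The single cover node on the receiver's path, or None if it is revoked."""
    usable = [x for x in path_to_root(leaf_of(n, u)) if x in cover]
    return usable[0] if usable else None


if __name__ == "__main__":
    cover = cst_cover(16, [2, 11, 12])  # the revocation shown for FIG. 8
    print("u4 holds node keys", node_keys_held(16, 4))
    print("ciphertexts are encrypted under nodes", cover)
    for u in range(1, 17):
        print("u%d decrypts with node key %s" % (u, key_for_receiver(16, u, cover)))
```

The broadcast carries one ciphertext per cover node, which is why the CST message grows with the spread of revoked leaves while each receiver stores only log N + 1 keys.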

Next, an explanation will be given of the SD (subset Difference) method as the prerequisite of the LSD method.

FIG. 9 to FIG. 12 are views for explaining the SD method.

As mentioned above, in the CST method, a “set comprised of receiving apparatuses allocated to leaves of sub trees having a node thereof as a vertex” is expressed by using a node of the tree.

Contrary to this, in the SD method, a “set obtained by subtracting (a set comprised of leaves of sub trees having the node j as a vertex) from (a set comprised of leaves of sub trees having the node i as a vertex)” is defined by using two nodes i,j (note, i is the node of the predecessor of j) of the tree.

For example, a set S(i,j) defined by the nodes i,j shown in FIG. 9 is the set obtained by excluding the receiving apparatuses u5 and u6 from the set of the receiving apparatuses u1 to u8, that is S(i,j)={u1, u2, u3, u4, u5, u6, u7, u8}−{u5, u6}.

Such a set is defined for all sets of nodes in which the node i is the predecessor of the node j (that is, the node j is not the same as the node i, and the node i exists on the path from the node j to the root).

Further, the label data LABEL is allocated to each set. Further, a predetermined operation (for example, generation of pseudo random numbers using the label data LABEL as the key) is carried out based on the label data LABEL to obtain the subset key.

The subset key is used as the key encryption key data KEK in the communication between the receiving apparatuses of the elements of the set and the key management device.

In the SD method, the number of the sets to which one receiving apparatus belongs becomes O(N), therefore if the key data SK (subset key) is independently allocated to each set (subset), each receiving apparatus must safely hold the label data LABEL corresponding to O(N) subset keys, but it is actually difficult if N is large.

For this reason, by the following technique, in the SD method, the number of the label data LABEL held by each receiving apparatus is reduced.

For example, as shown in FIG. 10A, by paying attention to an internal node (that is, a node which is not a leaf) i, the value S of C bits is selected at random as the label data LABEL (i) of that node.

Next, as shown in FIG. 11, the value S of the LABEL (i) is input to the pseudo random number generator G having C bits of input and 3C bits of output.

Then, the output of 3C bits from the pseudo random number generator G is divided into sections each consisting of C bits from the left (from the higher bit side) and defined as GL(S), GM(S), and GR(S).

Then, GL(S) is defined as the label data LABEL of the sub node on left side (one) of the node i, and GR(S) is defined as the label data LABEL of the sub node on right side (the other) of the node i.

Due to this processing, for the child node k at the left side of the node i in FIGS. 10A and 10B, the label data LABEL (i,k) of the node k having the node i as the start point becomes LABEL(i,k)=GL(S). Then, this is defined as T.

Next, T is input to the pseudo random number generator G, and the output thereof is divided into sections each consisting of C bits from the left to obtain GL(T), GM(T), and GR(T).

Then, GL(T), GM(T), and GR(T) are defined as a label data LABEL (i,kL) of the sub node kL on the left side of the node k when the node i is used as the start point, a label data LABEL (i,k) of the node k when the node i is used as the start point, and a label data LABEL (i,kR) of the sub node kR on right side of the node k when the node i is used as the start point.

By repeating this processing, a label corresponding to all nodes which become a descendant of the node i when the node i is used as the start point is created.

Note that according to the above definition, the set S(i,i) is an empty set, and when the node i is used as the start point, the key of the node i is unnecessary, so the GM(S) of the center portion where the LABEL(i) is input to the pseudo random number generator G is not used.

As shown in FIG. 10A, the value S of the label data LABEL (i) of the node i of the start point is determined, the GR(S) becomes the label data LABEL of the sub node at the right of the node i when the node i is used as the start point, and further the GL(S) obtained by inputting that to the pseudo random number generator G becomes the label data LABEL of the node j when the node i is used as the start point. This processing is all carried out with respect to all internal nodes i.

These processings are carried out by the key management device at the time of the set up of the system, but the pseudo random number generator (or pseudo random number generation function) G is determined by the key management device and publicly disclosed. By using this, the receiving apparatus given the LABEL (i,j) can compute labels LABEL (i,n) of all nodes n which become the descendants of the node j when the node i is used as the start point and can compute the node j and the subset keys SK(i,n) of the sub nodes n thereof where the node i is used as the start point.

If doing this, as shown in FIG. 10B, a certain receiving apparatus u becomes able to create a subset key having the node i as a start point of that node and the nodes following that (which become the descendant of that) if only the label data LABEL of the node directly branched from the path from the leaf to i using the node i as the start point is held for each internal node i on the path from the leaf to which the receiving apparatus u is allocated to the vertex of the tree. In FIG. 10B, when paying attention to the node i, the number of nodes directly branched from the path from u to i is three, and the receiving apparatus u receives these three label data LABEL from the key management device at the time of the set up of the system.

Below, the receiving apparatus u4 will be considered in the example shown in FIG. 12.

For the receiving apparatus u4, internal nodes 1, 2, 4, and 9 on the path from the node 19 of the leaf to which the receiving apparatus u4 is allocated to the root 1 become the start points (node i). When using the node 1 as the start point, the nodes directly branched from the path from the node 19 to the node 1 are the four nodes of 3, 5, 8, and 18, so the receiving apparatus u4 holds LABELs (1,3), (1,5), (1,8), and (1,18).

In the same way as above, it holds the three label data LABEL of LABELs (2,5), (2,8), and (2,18) when the node 2 is used as the start point, holds the two label data LABEL of LABELs (4,8) and (4,18) when the node 4 is used as the start point, and holds the LABEL (9,18) when the node 9 is used as the start point.

Further, it holds one label data LABEL (1) corresponding to the set including all receiving apparatuses (this will be expressed as S1,φ) used in a special case where there is no receiving apparatus to be revoked.

Note that while the label data LABEL is made to correspond to S1,φ here, it is also possible not to use the label data LABEL, but to directly hold the subset key corresponding to S1,φ.

As described above, each receiving apparatus must hold the label data LABEL of exactly the amount of the height of the internal nodes thereof for internal nodes on the path from the leaf to the root.

These label data LABEL enable the creation of the subset key by using the publicly disclosed G, so the receiving apparatus holds them safely.

Below, an explanation will be given of the LSD (Basic Layered Subset Difference) method using the above SD method as the basis.

The LSD method includes a basic method and a general method as an extension thereof. Here, an explanation will be given of the basic method.

The LSD method is an extension of the SD method and introduces the new concept of a “layer”. A specific height in the tree structure in the SD method is defined as a “special level”.

In the basic_LSD method, there is only one type of special level, but the general_LSD method uses a plurality of special levels having different importances.

Here, for simplification, assume that $\log^{1/2} N$ is an integer.

In the basic_LSD method, as shown in FIG. 13, among the levels (steps) from the root of the tree to the leaves, the levels for each $\log^{1/2} N$ including levels of the root and leaves are defined as “special layers”.

Any stratum sandwiched between two adjoining special layers (including both special levels) will be referred to as a “layer”.

In the example of FIG. 13, the level of the root, the level including the node k, and the level of the leaves are special levels, and the level of the root, the level including the node i, and the level including the node k configure single layers. Further, the level including the node k, the level including the node j, and the level including the leaves configure other layers.

In the basic_LSD method, among the subsets S(i,j) defined in the SD method, only the subsets in which the node i and the node j are in the same layer or the node i is at the special level are defined.

If doing this, some of the subsets used in the SD method are no longer defined in the basic_LSD method, but these subsets can be expressed by two sum sets at most among subsets defined by the basic_LSD method.

For example, in the example of FIG. 13, the subset S(i,j) is not defined in the basic_LSD method, but can be expressed as S(i,j)=S(i,k)∪S(k,j) by using the node (node k) on the special level nearest the node i on the path from the node i to the node j.

That is, in the SD method, in place of one encrypted text encrypted by using the subset key SK(i,j) corresponding to the subset S(i,j), in the basic_LSD method, two encrypted texts encrypted by using subset keys SK(i,k) and SK(k,j) corresponding to the subsets S(i,k) and S(k,j) are transmitted.

Due to this, the number of encrypted texts to be transmitted is increased by two times from the SD method at most, but the number of labels held by each receiver can be reduced.

In FIG. 14, a case where the basic_LSD method is applied to the same case as that assumed in the SD method of FIG. 12 will be explained.

The receiving apparatus u4 shown in FIG. 14 may hold only the label data LABEL (i,j) in which i, j exist in the same LAYER or i exists at the special level.

Namely, the label data LABEL held by the receiving apparatus u4 becomes the label data LABEL (1,3), (1,5), (1,8), (1,18), (2,5), (4,8), (4,18), and (9,18).

Further, in the same way as the SD method, it is necessary to also hold the special label used where there is no receiver to be revoked.
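The SD label derivation and the basic_LSD restriction described above, as an added Python example that is not part of the patent text. The generator G is an assumed stand-in built on SHAKE-256, the subset key is taken as GM(LABEL(i,j)) following the SD construction of Non-patent document 2, and node numbering and all function names are assumptions of this sketch.

```python
import hashlib
import math
import secrets

C = 16  # label length in bytes (the page's "C bits"; 128 bits assumed here)


def G(label):
    """Assumed stand-in for the public generator G: C bytes in, 3C bytes out,
    returned as (GL, GM, GR) counted from the left."""
    out = hashlib.shake_256(b"G|" + label).digest(3 * C)
    return out[:C], out[C:2 * C], out[2 * C:]


def depth(node):
    return node.bit_length() - 1           # root (node 1) has depth 0


def derive_label(label, frm, to):
    """From LABEL(i, frm), or LABEL(i) when frm == i, walk down to `to`,
    taking GL for each left step and GR for each right step."""
    for bit in bin(to)[len(bin(frm)):]:    # branch bits below frm
        left, _mid, right = G(label)
        label = left if bit == "0" else right
    return label


def subset_key(label):
    return G(label)[1]                     # assumption: SK(i,j) = GM(LABEL(i,j))


def special_step(n):
    return math.isqrt(n.bit_length() - 1)  # sqrt(log2 N), assumed to be an integer


def lsd_defined(n, i, j):
    """basic_LSD rule: i on a special level, or i and j in the same layer."""
    step = special_step(n)
    return depth(i) % step == 0 or depth(j) <= (depth(i) // step + 1) * step


def lsd_split(n, i, j):
    """S(i,j) itself if defined, else S(i,k) and S(k,j), with k on the special
    level nearest i on the path from i to j."""
    if lsd_defined(n, i, j):
        return [(i, j)]
    k = j >> (depth(j) - (depth(i) // special_step(n) + 1) * special_step(n))
    return [(i, k), (k, j)]


def held_pairs(n, u, lsd=False):
    """(i, j) index pairs of the labels receiver u stores under SD or basic_LSD."""
    leaf = n + u - 1
    path = [leaf >> s for s in range(leaf.bit_length())]    # leaf, ..., root
    pairs = [(path[a], below ^ 1)                             # sibling off the path
             for a in range(1, len(path)) for below in path[:a]]
    return sorted(p for p in pairs if not lsd or lsd_defined(n, *p))


def make_root_labels(n):
    """Key management device: a random LABEL(i) for every internal node i."""
    return {i: secrets.token_bytes(C) for i in range(1, n)}


def provision(root_labels, n, u, lsd=False):
    return {(i, j): derive_label(root_labels[i], i, j)
            for i, j in held_pairs(n, u, lsd)}


def center_key(root_labels, i, j):
    return subset_key(derive_label(root_labels[i], i, j))


def receiver_key(held, i, j):
    """SK(i,j) from a stored LABEL(i,j') with j' on the path to j, else None."""
    for (hi, hj), label in held.items():
        if hi == i and bin(j).startswith(bin(hj)):   # j equals or descends from hj
            return subset_key(derive_label(label, hj, j))
    return None


if __name__ == "__main__":
    labels = make_root_labels(16)
    print("SD labels of u4: ", held_pairs(16, 4))
    print("LSD labels of u4:", held_pairs(16, 4, lsd=True))
    print("S(2,18) under basic_LSD:", lsd_split(16, 2, 18))
    u4 = provision(labels, 16, 4, lsd=True)
    print("u4 derives SK(4,18):", receiver_key(u4, 4, 18) == center_key(labels, 4, 18))
```

A receiver excluded from S(i,j) gets None because none of its stored labels lies on the path from i to j, which is the property the revocation relies on.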

Below, an explanation will be given of an example of operation of the key management device 3 shown in FIG. 2.

The operation of the key management device 3 is realized by the processing of the processing unit 13 based on the program PRG1 as mentioned above.

EXAMPLE OF OPERATION OF PRE-PROCESSING

FIG. 15 is a flow chart for explaining an example of operation of the case where the key management device 3 performs the pre-processing.

As explained above, the processing unit 13 of the key management device 3 performs the following pre-processing for example at the time of the registration of the receiving apparatuses 4_1 to 4_N preceding the revocation processing.

Step ST11:

The key management device 3 sets up the key acquisition method SKT-A and the key data K_ORG and the label data LABEL used in the key acquisition method SKT-A in the receiving apparatuses 4_1 to 4_N.

Specifically, for each of the receiving apparatuses 4_1 to 4_N, the key management device 3 sets up the label data LABEL for acquiring a plurality of label data LABEL allocated to a plurality of sets defined so that there are sets having as elements only receiving apparatuses not to be invalidated in the sub trees even if any other receiving apparatus in the sub trees to which the receiving apparatuses in the horizontal layer A0 shown in FIG. 5 belong are invalidated.

Further, for each of the receiving apparatuses 4_1 to 4_N, the key management device 3 sets up a plurality of key data K_ORG allocated to all nodes located on the path between the node on the terminal end corresponding to the receiving apparatus in the horizontal layer A1 shown in FIG. 5 and the root.

The key management device 3 performs the above set up individually in a secure state for the receiving apparatuses 4_1 to 4_N at the time of for example the issuance or registration of the receiving apparatuses 4_1 to 4_N.

EXAMPLE OF OPERATION OF REVOCATION PROCESSING

FIG. 16 is a flow chart for explaining an example of the operation of the case where the key management device 3 performs the revocation processing mentioned above.

The processing unit 13 of the key management device 3 performs the revocation processing when any of the receiving apparatuses 4_1 to 4_N is to be revoked.

Step ST21:

The key management device 3 generates a revocation list RL indicating any receiving apparatuses to be revoked among the receiving apparatuses 4_1 to 4_N.

Step ST22:

The key management device 3 specifies the key encryption key data KEKm used for communication with the receiving apparatuses 4_1 to 4_N not to be revoked based on the revocation list RL generated at step ST21 according to the key acquisition method SKT_A.

A detailed explanation will be given of the processing later.

Step ST23:

The key management device 3 generates the key designation data Im designating the key data K_ORG and the label data LABEL necessary for generating the key encryption key data KEKm specified at step ST22.

Note that the designation of the key data K_ORG and the label data LABEL in the key designation data Im is carried out based on identification data such as an index allocated to the key data K_ORG and label data LABEL and does not include the key data K_ORG and the label data LABEL per se.

Step ST24:

The key management device 3 encrypts the new session key data NEW_SEK (after update) by the key encryption key data KEKm generated at step ST23 to generate the data EKEKm (NEW_SEK).

Step ST25:

The key management device 3 encrypts the payload data PAYL as the secret information provided to the receiving apparatuses 4_1 to 4_N by using the new session key data NEW_SEK to generate the data ENEW_SEK (PAYL).

Step ST26:

The key management device 3 generates the capsule data CAP shown in FIG. 17 as the data storing the key designation data Im (I1 to IM) generated at step ST25, the data EKEKm (NEW_SEK) generated at step ST24, and ENEW_SEK (PAYL) generated at step ST25.

Step ST27:

The key management device 3 broadcasts (transmits) the capsule data CAP generated at step ST26 via the communication unit 11 shown in FIG. 2 by for example the wireless method.

The broadcast is so-called PUSH distribution.

Below, a detailed explanation will be given of step ST23 shown in FIG. 16.

FIG. 18 is a view for explaining step ST23 shown in FIG. 16, that is, the method of specifying the key encryption key data KEK based on the key acquisition method SKT_A.

In FIG. 18, step ST31 corresponds to the first step of the first aspect of the invention, step ST32 corresponds to the second step of the first aspect of the invention, step ST33 corresponds to the third step of the first aspect of the invention, and steps ST34 and ST35 correspond to the fourth step of the first aspect of the invention.

Further, the first means, the second means, and the third means of the third invention are realized by the processing unit 13 executing steps ST31, ST32, and ST33. Further, the fourth means of the third invention is realized by the processing unit 13 executing steps ST34 and ST35.

Step ST31:

The key management device 3 specifies sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets, defined in advance, having as elements receiving apparatuses belonging to the sub trees, for all sub trees including receiving apparatuses to be revoked among the sub trees (SUBT) belonging to the horizontal layer A0 shown in FIG. 5.

Step ST32:

The key management device 3 specifies nodes not having any receiving apparatuses to be invalidated at the branches of the nodes among the nodes at the terminal ends in the horizontal layer A1 shown in FIG. 5.

Step ST33:

The key management device 3 specifies nodes not having any receiving apparatuses to be invalidated at the leaves branched from the nodes and nearest the root among the nodes located on the paths between the nodes and the root for all nodes specified at step ST32.

Step ST34:

The key management device 3 decides to use the key encryption key data KEKm linked with the sets (or the label data LABEL thereof) specified at step ST31 for communication with the receiving apparatuses 4_1 to 4_N of elements of the sets.

The key management device 3 holds for example the above sets of all subsets in the horizontal layer A0 shown in FIG. 5 and the key encryption key data KEKm linked together and specifies the key encryption key data KEK corresponding to the sets specified at step ST31.

Further, it is also possible for the key management device 3 to hold for example the label data LABEL (i,j) in which the node i and the node j exist in the same LAYER or the node i is at the special level among subsets S(i,j) as the above sets in the horizontal layer A0 shown in FIG. 5, generate the label data LABEL by the method explained by using FIG. 10A, 10B and FIG. 11, and generate the key encryption key data KEKm as the subset key thereof based on this label data LABEL.

Then, the key management device 3 generates the key designation data Im for designating the label data LABEL used by the receiving apparatuses 4_1 to 4_N of the elements of the above specified set for generating the above specified (generated) key encryption key data KEKm.

Step ST35:

The key management device 3 decides to use the key data K_ORG (node key) corresponding to the nodes specified at step ST33 for communication with the receiving apparatuses 4_1 to 4_N in the branches of the nodes.

Then, the key management device 3 generates the key designation data Im designating the key data K_ORG as the determined key encryption key data KEKm.

[Receiving Apparatuses 4_1 to 4_N]

The receiving apparatuses 4_1 to 4_N are for example PDAs (personal digital assistants), mobile phones, or other ubiquitous terminal equipment.

FIG. 19 is a view of the hardware configuration of the receiving apparatuses 4_1 to 4_N shown in FIG. 1.

The receiving apparatuses 4_1 to 4_N have the same configuration except the key data K_ORG and the label data LABEL stored in the memory 42.

As shown in FIG. 19, the receiving apparatuses 4_1 to 4_N have for example communication units 41, memories 42, and processing units 43.

Here, the memories 42 correspond to the storing means of the fourth aspect of the invention, and the processing units 43 correspond to the processing means of the fourth aspect of the invention.

The communication units 41 receive the capsule data CAP transmitted by the key management device 3 by the PUSH method by the wireless method.

The memories 42 store a program PRG2 executed by the processing units 43 and various data used for the execution of the program PRG2.

The program PRG2 includes processing routines of the key acquisition method SKT_A.

The memories 42 store the key data K_ORG and the label data LABEL allocated to each of the receiving apparatuses 4_1 to 4_N by the pre-processing by the key management device 3.

Specifically, even when any other receiving apparatuses in sub trees to which the receiving apparatuses in the horizontal layer A0 belong are to be invalidated, the memory 42 stores the label data LABEL (the third key data of the fourth aspect of the invention) for acquiring a plurality of label data LABEL (the first key data of the first to fourth aspects of the inventions) allocated to the plurality of sets defined so that there are sets having as elements only receiving apparatuses not to be invalidated in the sub trees.

Further, the memories 42 store a plurality of key data K_ORG (the second key data of the first to fourth aspects of the invention) allocated to all nodes located on the paths between the nodes at the terminal ends corresponding to the receiving apparatuses in the horizontal layer A1 and the root.

Here, the order of the amount of the key data K_ORG and the label data LABEL to be stored by the memory 42 becomes O(STA) shown in the following formula (3).

$O(\mathrm{STA}) = \left((\mathrm{HA}[0])^{1.5} - \mathrm{HA}[0] + \log_2 N\right) \quad (3)$

The processing units 43 execute the program PRG2 stored in the memories 42 and centrally control the processings of the receiving apparatuses 4_1 to 4_N in accordance with the execution thereof. In the present embodiment, the processings of the receiving apparatuses 4_1 to 4_N are defined by the program PRG2 executed by the processing unit 43.

The functions of the processing units 43 defined by the program PRG2 are configured so that even the receiving apparatuses 4_1 to 4_N cannot be controlled by the users. Further, the users of the receiving apparatuses 4_1 to 4_N use the receiving apparatuses 4_1 to 4_N with absolutely no awareness of these functions.

Below, an explanation will be given of an example of the operation of the receiving apparatuses 4_1 to 4_N.

FIG. 20 is a flow chart for explaining an example of the operation of the receiving apparatuses 4_1 to 4_N.

Note that the operations of the receiving apparatuses 4_1 to 4_N are defined by the processing units 43 executing the program PRG2.

Step ST41:

The communication units 41 of the receiving apparatuses 4_1 to 4_N receive the capsule data CAP broadcast by the key management device 3 at step ST27 shown in FIG. 16.

Step ST42:

The processing units 43 of the receiving apparatuses 4_1 to 4_N decide whether or not their corresponding key designation data Im are included in the capsule data CAP received at step ST41. When deciding that the data Im are included, they proceed to the processing of step ST43, while when the data Im are not included, they end the processing.

Step ST43:

The processing units 43 acquire their corresponding key designation data Im in the capsule data CAP.

Then, the processing units 43 specify the key data K_ORG or the label data LABEL designated by the key designation data Im acquired at step ST42 from among the key data K_ORG and the label data LABEL stored by the memory 42.

Step ST44:

The processing units 43 acquire (generate) the key encryption key data KEKm based on the key data K_ORG or the label data LABEL specified at step ST43.

The processing of step ST44 will be explained in detail later.

Step ST45:

The processing units 43 acquire new session key data NEW_SEK by decoding the data EKEKm (NEW_SEK) in the capsule data CAP by using the key encryption key data KEKm acquired (generated) at step ST44.

Step ST46:

The processing units 43 decode the data ENEW_SEK (PAYL) in the capsule data CAP by using new session key data NEW_SEK acquired at step ST45 to acquire the payload data PAYL.

The receiving apparatuses 4_1 to 4_N use the session key data NEW_SEK acquired at step ST45 in order to decode the data received from the key management device 3 until the revocation processing is carried out next.

Below, an explanation will be given of the processing of step ST44 shownin FIG. 20.

FIG. 21 is a flow chart for explaining the processing of step ST44 shownin FIG. 20.

Step ST51:

The processing units 43 decide whether or not the key designation dataIm acquired at step ST43 shown in FIG. 20 designates the label dataLABELm. When deciding that the data Im designates the label data LABEL,they proceed to step ST52, while when not deciding so, they proceed tostep ST56.

Step ST52:

The processing units 43 decide whether or not the memories 42 store(hold) the label data LABEL required for generating the label dataLABELm designated by the key designation data Im. When they decide thatthe memories 42 store it, they proceed to step ST55, while when they donot decide so, they proceed to step ST53.

Step ST53:

The processing units 43 specify the label data LABEL corresponding totwo sets defining the sets corresponding to the label data LABELmdesignated by the key designation data Im as the sum set.

Step ST54:

The processing units 43 generate the two label data LABEL specified at step ST53 based on the label data LABEL stored in the memories 42 according to need.

Then, the processing units 43 generate two subset keys SK by generating pseudo random numbers based on the pseudo random number generator G using the two label data LABEL as the keys.

Then, the processing units 43 generate the key encryption key data KEKm based on the two subset keys SK.

Step ST55:

The processing units 43 generate the label data LABELm designated by the key designation data Im based on the label data LABEL stored in the memories 42 according to need.

Then, the processing units 43 generate pseudo random numbers based on the pseudo random number generator G by using the label data LABELm as the key to generate the subset key SK.

Then, the processing units 43 define the subset key SK as the key encryption key data KEKm.

Step ST56:

The processing units 43 define the key data K_ORG designated by the key destination data Im as the key encryption key data KEKm.
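The branches ST51, ST52, ST55 and ST56 can be sketched as follows. This is an added example, not code from the patent: it assumes heap-style node numbering (root 1, children 2i and 2i+1), the left/middle/right use of the generator G from the cited SD construction, HMAC-SHA-256 as a stand-in for G, and SD-style label storage; the split of steps ST53 and ST54 is not modelled, and all function names are hypothetical.

```python
import hashlib
import hmac


def G(label, part):
    """Stand-in for the pseudo random number generator G (assumption).

    part b"L" / b"R" yields the label of the left / right child,
    part b"M" yields the subset key SK of the label itself.
    """
    return hmac.new(label, part, hashlib.sha256).digest()


def km_label(master, i, j):
    """Key-management side: LABEL(i, j) for j a proper descendant of i."""
    steps = []
    node = j
    while node > i:
        steps.append(node)
        node >>= 1
    if node != i or not steps:
        raise ValueError("j must be a proper descendant of i")
    # LABEL(i, i) is derived from a master secret here (assumption).
    label = hmac.new(master, b"LABEL|%d" % i, hashlib.sha256).digest()
    for step in reversed(steps):
        label = G(label, b"R" if step & 1 else b"L")
    return label


def receiver_labels(master, leaf, subtree_root):
    """Labels set up in one receiver: for each ancestor i of the leaf inside
    the sub tree, LABEL(i, s) for every node s hanging off the path i..leaf."""
    stored = {}
    i = leaf >> 1
    while i >= subtree_root:
        node = leaf
        while node > i:
            stored[(i, node ^ 1)] = km_label(master, i, node ^ 1)
            node >>= 1
        i >>= 1
    return stored


def derive_label(stored, i, j):
    """ST52/ST55: find a stored LABEL(i, s) with s on the path i..j and
    walk down from s to j. Returns None when no such label is held."""
    walked = []
    node = j
    while node > i:
        if (i, node) in stored:
            label = stored[(i, node)]
            for step in reversed(walked):
                label = G(label, b"R" if step & 1 else b"L")
            return label
        walked.append(node)
        node >>= 1
    return None


def acquire_kek(designation, labels, node_keys):
    """Step ST44 for one receiver; designation is ("LABEL", (i, j)) or
    ("K_ORG", node). Returns KEKm, or None if it cannot be obtained."""
    kind, ident = designation
    if kind == "LABEL":                        # ST51
        label = derive_label(labels, *ident)   # ST52
        if label is None:
            return None                        # ST53/ST54 not modelled
        return G(label, b"M")                  # ST55: SK becomes KEKm
    return node_keys.get(ident)                # ST56: K_ORG becomes KEKm


if __name__ == "__main__":
    master = b"constructed master secret"      # constructed sample value
    im = ("LABEL", (1, 11))                    # set: all leaves except those under node 11
    for leaf in (8, 10, 11):
        kek = acquire_kek(im, receiver_labels(master, leaf, 1), {})
        print(leaf, None if kek is None else kek.hex()[:16])
```

A receiver below node j holds no label on the path from i to j, so it cannot compute LABEL(i, j); that is what excludes it from the set.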

Below, an explanation will be given of an example of the overall operation of the communication system 1.

First, the key management device 3 distributes the predetermined key data K_ORG and label data LABEL to the receiving apparatuses 4_1 to 4_N by the pre-processing explained above by using FIG. 15.

Then, when the predetermined receiving apparatuses 4_1 to 4_N are to be revoked, the key management device 3 distributes the capsule data CAP to the receiving apparatuses 4_1 to 4_N not to be revoked by the technique explained above by using FIG. 16 and FIG. 18.

Then, the receiving apparatuses 4_1 to 4_N perform the processing explained by using FIG. 20 and FIG. 21, and the receiving apparatuses 4_1 to 4_N not to be revoked obtain the decoded payload data PAYL based on the new session key data NEW_SEK.

As explained above, in the communication system 1, the pre-processing explained above by using FIG. 15 is used to set up and store the key data K_ORG and the label data LABEL in the receiving apparatuses 4_1 to 4_N.

In the communication system 1, the amount (O(STA) of formula (3)) of the key data and the label data LABEL stored in the receiving apparatuses 4_1 to 4_N is larger than the (O(log2N)) in the case of the CST method, but can be made smaller than (O((log2N)^2), O((log2N)^(1+a)), a>1) in the case of the SD method and the LSD method. Namely, in the communication system 1, by employing the CST method for the horizontal layer A1 by the key acquisition method SKT_A, in comparison with the case where the SD method or the LSD method is employed for the entire tree, the amount of the key data and the label data stored by the receiving apparatuses 4_1 to 4_N can be reduced.

Further, in the communication system 1, by employing the key acquisition method SKT_A, the number of the key encryption key data KEKm used for communication with the receiving apparatuses 4_1 to 4_N accompanied with the revocation processing, that is, the amount of communication (O(COA) of formula (2)) between the key management device 3 and the receiving apparatuses 4_1 to 4_N, can be made smaller than (O(R log2(N/R))) in the case of the CST method though larger than the case (O(R)) of the LSD method and the SD method. Namely, in the communication system 1, by the above key acquisition method SKT_B, by employing the LSD method for the horizontal layer A0, in comparison with the case where the CST method is employed for the entire tree, the amount of communication between the key management device 3 and the receiving apparatuses 4_1 to 4_N accompanied with the revocation processing can be reduced.

Due to this, according to the communication system 1, the amount of communication between the key management device 3 and the receiving apparatuses 4_1 to 4_N accompanied with the revocation processing and the amount of the key data held by the receiving apparatuses 4_1 to 4_N can be defined by a suitable trade off.

Further, in the communication system 1, the receiving apparatuses 4_1 to 4_N are configured so that the users cannot control the security function such as the key management explained above, so the security function can be improved.

Further, the receiving apparatuses 4_1 to 4_N employ the SDR for the reception (download) from the key management device 3, so only the legitimate receiving apparatuses 4_1 to 4_N having authorization can automatically receive the data transmitted to the receiving apparatuses. Therefore, the security accompanied with the download can be improved.

Further, the users can use the receiving apparatuses 4_1 to 4_N with absolutely no awareness of these security functions.

SECOND EMBODIMENT

The second embodiment is an embodiment of the fifth to eighth aspects of the inventions.

As shown in FIG. 1, a communication system 101 of the present embodiment has for example a key management device 103 and a plurality of (N) receiving apparatuses 104_1 to 104_N.

Here, the key management device 103 corresponds to the key management side of the present invention and the data processing apparatus of the seventh aspect of the invention, and the receiving apparatuses 104_1 to 104_N correspond to the receiving apparatuses of the fifth to eighth aspects of the invention.

The transfer (communication) of the data is carried out between the key management device 103 and the receiving apparatuses 104_1 to 104_N by for example the wireless method.

The receiving apparatuses 104_1 to 104_N are registered in the key management device 3 in advance and hold the key data K_ORG and the label data LABEL used for the secret communication (secure communication) with the key management device 3.

The key management device 103 and the receiving apparatuses 104_1 to 104_N are the same as the key management device 3 and the receiving apparatuses 4_1 to 4_N of the first embodiment except the key acquisition method SKT_B shown below is employed in place of the key acquisition method SKT_A.

The key management device 103 has for example, as shown in FIG. 2, a communication unit 111, a memory 112, and a processing unit 113.

Further, the receiving apparatuses 104_1 to 104_N, for example as shown in FIG. 19, have communication units 141, memories 142, and processing units 143.

Below, an explanation will be given of the key acquisition method SKT_B in the present embodiment.

FIG. 22 is a view for explaining the key acquisition method SKT_B.

As shown in FIG. 22, in the key acquisition method SKT_B, the tree is divided into three horizontal layers B0, B1, and B2.

Here, the horizontal layers B0, B1, and B2 correspond to the first layer, the third layer, and the second layer of the fifth to eighth aspects of the invention.

The height of the lowermost horizontal layer B0 is defined as HB[0], the height of the horizontal layer B1 is defined as HB[1], and the height of the horizontal layer B2 is defined as (log2N-HB[0]-HB[1]).

Then, as the revocation method of each section 31[0] belonging to the horizontal layer B0, the LSD method disclosed in Non-patent Document 1 is employed.

Further, as the revocation method of each section 31[1] belonging to the horizontal layer B1, the LSD method disclosed in the above Non-patent Document 1 is employed.

Further, as the revocation method of each section 31[2] belonging to the horizontal layer B2, the CST method disclosed in the above Non-patent Document 2 is employed.

Below, an explanation will be given of the processings of the key management device 103 and the receiving apparatuses 104_1 to 104_N according to the key acquisition method SKT_B.

[Key Management Device 103]

The key management device 103 performs the processing shown in FIG. 23 as the pre-processing corresponding to FIG. 15 of the first embodiment.

Step ST81:

The key management device 103 performs the following pre-processing at the time of for example the registration of the receiving apparatuses 104_1 to 104_N preceding the revocation processing.

The key management device 103 sets up the key acquisition method SKT_B and the key data K_ORG and the label data LABEL used in the key acquisition method SKT_B in the receiving apparatuses 104_1 to 104_N.

Specifically, the key management device 103 sets up the label data LABEL (the second key data of the eighth aspect of the invention) for acquiring a plurality of label data LABEL (the first key data of the eighth aspect of the invention) allocated to a plurality of sets defined so that there are sets having as elements only receiving apparatuses not to be invalidated in the sub trees even in a case where any other receiving apparatuses in the sub trees to which the receiving apparatuses in the horizontal layer B0 shown in FIG. 22 belong are invalidated for each of the receiving apparatuses 104_1 to 104_N.

Further, the key management device 103 sets up the label data LABEL (the fourth key data of the eighth aspect of the invention) for acquiring a plurality of label data LABEL (the third key data of the eighth aspect of the invention) allocated to a plurality of sets defined so that there are sets having as elements only nodes at the terminal ends not having any receiving apparatuses not to be invalidated at their branches side even in a case where any other receiving apparatuses at the branches of any nodes of the nodes at the terminal ends in the horizontal layer B1 shown in FIG. 22 are invalidated for each of the receiving apparatuses 104_1 to 104_N.

Further, the key management device 103 sets up a plurality of key data K_ORG (the fifth key data of the eighth aspect of the invention) allocated to all nodes located on the paths between the nodes on the terminal ends corresponding to the receiving apparatuses in the horizontal layer B2 shown in FIG. 22 and the root for each of the receiving apparatuses 104_1 to 104_N.

EXAMPLE OF OPERATION OF REVOCATION PROCESSING

The key management device 103 performs the revocation processing by the method explained by using FIG. 16 in the first embodiment.

In this case, at step ST23 of FIG. 16, as shown below, the revocation processing is carried out based on the key acquisition method SKT_B to generate the key destination data Im.

FIG. 24 is a flow chart for explaining the processing of step ST23 of FIG. 16 performed by the key management device 103.

In FIG. 24, step ST91 corresponds to the first step of the fifth aspect of the invention, step ST92 corresponds to the second step of the fifth aspect of the invention, steps ST93 and ST94 correspond to the third step of the fifth aspect of the invention, and steps ST95, ST96, and ST97 correspond to the fourth step of the fifth aspect of the invention.

Further, the first means and the second means of the seventh aspect of the invention are realized by executing steps ST91 and ST92 by the processing unit 113.

Further, the third means of the seventh aspect of the invention is realized by executing steps ST93 and ST94 by the processing unit 113.

Further, the fourth means of the seventh aspect of the invention is realized by executing steps ST95, ST96, and ST97 by the processing unit 113.

Step ST91:

The key management device 103 specifies the sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among the plurality of sets, defined in advance, having as elements receiving apparatuses belonging to the sub trees, for all sub trees including receiving apparatuses to be revoked among the sub trees (SUBT) belonging to the horizontal layer B0 shown in FIG. 22.

Step ST92:

The key management device 103 specifies the sets having as elements only nodes including only receiving apparatuses not to be invalidated at the branches among nodes at the terminal ends in the sub trees for sub trees (SUBT) belonging to the horizontal layer B1 shown in FIG. 22.

Step ST93:

The key management device 103 specifies the nodes not having any receiving apparatuses to be invalidated at the branches of the nodes among the nodes at the terminal ends in the horizontal layer B2 shown in FIG. 22.

Step ST94:

The key management device 103 specifies the nodes not having any receiving apparatuses to be invalidated at the leaves branched from the nodes and nearest the root from among the nodes located on the paths between the nodes and the root for all nodes specified at step ST93.

Step ST95:

The key management device 103 decides to use the key encryption key data KEKm linked with the sets (or the label data LABEL thereof) specified at step ST91 for communication with the receiving apparatuses of elements of the sets.

The key management device 103 holds for example the sets of all subsets in the horizontal layer B0 shown in FIG. 22 and the key encryption key data KEKm linked together and specifies the key encryption key data KEK corresponding to the sets specified at step ST91.

Further, it is also possible if the key management device 103 holds for example the label data LABEL (i,j) corresponding to ones in which the node i and the node j exist in the same LAYER or the node i is at the special level among the subsets S(i,j) as the above sets in the horizontal layer B0 shown in FIG. 22, generates the label data LABEL by the method explained by using FIG. 10A, 10B and FIG. 11 based on this, and generates the key encryption key data KEKm as the subset key thereof based on this label data LABEL.

Then, the key management device 103 generates the key destination data Im designating the label data LABEL used for generating the specified (generated) key encryption key data KEKm by the receiving apparatuses 104_1 to 104_N of the elements of the specified sets.

Step ST96:

The key management device 103 decides to use the key encryption key data KEKm linked with the sets (or the label data LABEL thereof) specified at step ST92 for communication with the receiving apparatuses of elements of the sets.

The method of determination (generation) of the key encryption key data KEK is the same as that at step ST95.

Then, the key management device 103 generates the key destination data Im for designating the label data LABEL used for generating the specified (generated) key encryption key data KEKm by the receiving apparatuses 104_1 to 104_N of elements of the specified sets.

Step ST97:

The key management device 103 decides to use, as the key encryption key data KEKm, the key data K_ORG (node key) corresponding to the nodes specified at step ST94 for communication with the receiving apparatuses 104_1 to 104_N at the branches of those nodes.

Then, the key management device 103 generates the key destination data Im for designating the key data K_ORG as the determined key encryption key data KEKm.
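Steps ST93, ST94 and ST97 amount to computing a complete-subtree cover over the layer B2. The following added example (not code from the patent) computes that cover and checks which receivers can find a designated node key among the K_ORG set up for their path to the root. The heap-style node numbering, the HMAC-SHA-256 derivation of K_ORG from a master secret, and all function names are assumptions.

```python
import hashlib
import hmac


def terminal_of(leaf, log2_n, top_height):
    """Heap index of the B2 terminal node above receiver number `leaf`
    (root is node 1, receivers are numbered 0 .. N-1)."""
    return ((1 << log2_n) + leaf) >> (log2_n - top_height)


def cst_cover(revoked, log2_n, top_height):
    """Nodes whose K_ORG is used as KEKm in layer B2 (ST93, ST94, ST97)."""
    # A node is "dirty" when a receiver to be invalidated hangs below it.
    dirty = set()
    for leaf in revoked:
        node = terminal_of(leaf, log2_n, top_height)
        while node >= 1:
            dirty.add(node)
            node >>= 1
    first = 1 << top_height
    # ST93: terminal nodes with no receiver to be invalidated below them.
    clean = [t for t in range(first, 2 * first) if t not in dirty]
    # ST94: from each one, climb to the clean ancestor nearest the root.
    cover = set()
    for node in clean:
        while node > 1 and (node >> 1) not in dirty:
            node >>= 1
        cover.add(node)
    return sorted(cover)


def node_key(master, node):
    """K_ORG of one node, derived from a master secret (assumption)."""
    return hmac.new(master, b"K_ORG|%d" % node, hashlib.sha256).digest()


def receiver_node_keys(master, leaf, log2_n, top_height):
    """K_ORG set up in a receiver: every node from its terminal node to the root."""
    keys = {}
    node = terminal_of(leaf, log2_n, top_height)
    while node >= 1:
        keys[node] = node_key(master, node)
        node >>= 1
    return keys


def select_kek(keys, designated):
    """Receiver side: the designated node it holds a key for, or None."""
    for node in designated:
        if node in keys:
            return node, keys[node]
    return None


if __name__ == "__main__":
    master = b"constructed master secret"   # constructed sample value
    log2_n, top_height = 4, 2               # N = 16, terminal nodes 4..7
    cover = cst_cover({5}, log2_n, top_height)
    print("designated nodes:", cover)
    for leaf in (0, 4, 5, 12):
        hit = select_kek(receiver_node_keys(master, leaf, log2_n, top_height), cover)
        print("receiver", leaf, "->", None if hit is None else hit[0])
```

Receivers that are not revoked but sit below a dirty terminal node (receiver 4 in the demo) get no node key from this layer; they are reached through the sets specified at steps ST91 and ST92.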

[Receiving Apparatuses 104_1 to 104_N]

The receiving apparatuses 104_1 to 104_N are PDAs, mobile phones, or other ubiquitous terminal equipment.

As shown in FIG. 19, the receiving apparatuses 104_1 to 104_N have for example communication units 141, memories 142, and processing units 143.

The receiving apparatuses 104_1 to 104_N have the same configurations except the key data K_ORG and the label data LABEL stored in the memories 142.

Here, the memories 142 correspond to the storing means of the eighth aspect of the invention, and the processing units 143 correspond to the processing means of the eighth aspect of the invention.

The communication units 141 are the same as the communication units 41 of the first aspect of the embodiment.

The memory 142 stores a program PRG102 executed by the processing units 143 and various data used for the execution of the program PRG102.

The program PRG102 includes the processing routines of the key acquisition method SKT_A mentioned above.

The memories 142 store the key data K_ORG and the label data LABEL allocated to the receiving apparatuses 104_1 to 104_N by the pre-processing by the key management device 103.

Specifically, the memories 142 store the label data LABEL (the second key data of the eighth aspect of the invention) for acquiring a plurality of label data LABEL (the first key data of the fifth to eighth aspects of the invention) allocated to a plurality of sets defined so that there are sets having as elements only receiving apparatuses not to be invalidated in the sub trees even in a case when any other receiving apparatuses in the sub trees to which the receiving apparatuses in the horizontal layer B0 belong are invalidated.

Further, the memories 142 store the label data LABEL (the fourth key data of the eighth aspect of the invention) for acquiring a plurality of label data LABEL (the second key data of the fifth to seventh aspects of the invention and the third key data of the eighth aspect of the invention) allocated to a plurality of sets defined so that there are sets having as elements only the nodes at the terminal ends including only receiving apparatuses not to be invalidated in the sub trees at the branches even in a case where any sub trees in the horizontal layer B1 include any receiving apparatuses to be invalidated at the branches thereof.

Further, the memories 142 store a plurality of key data K_ORG (the third key data of the first to third aspects of the invention and the fifth key data of the eighth aspect of the invention) allocated to all nodes located on the paths between the nodes at the terminal ends corresponding to the receiving apparatuses in the horizontal layer B2 and the root.

The processing units 143 execute the program PRG102 stored in the memories 142 and centrally control the processings of the receiving apparatuses 104_1 to 104_N in accordance with the execution thereof. In the present embodiment, the processings of the receiving apparatuses 104_1 to 104_N are defined by the program PRG102 executed by the processing units 143.

Below, the processings of the receiving apparatuses 104_1 to 104_N are the same as the processings explained above by using FIG. 20 and FIG. 21 in the first embodiment.

Here, in the key acquisition method SKT_B, assume that the revocation of R number of receiving apparatuses 104_1 to 104_N exerts an influence upon R0B number of sections of the horizontal layer B1 configuring the tree and further exerts an influence upon R1B number of sections of the horizontal layer B2.

In this case, the order of the amount of communication between the key management device 103 accompanied with the revocation and the receiving apparatuses 104_1 to 104_N not to be revoked becomes O(COB) shown in the following formula (4) in the case of the key acquisition method SKT_B.

(Formula 4)
O(COB) = (R + R0B + R1B((log2N) − HB[1] − HB[0]) − R1B log2 R1B)  (4)

Further, the order of the amount of the key data K_ORG and the label data LABEL stored by the memories 142 becomes O(STB) shown in the following formula (5).

(Formula 5)
O(STB) = ((HB[0])^1.5 + (HB[1])^1.5 − HB[0] − HB[1] + log2N)  (5)

Due to this, the same effects as those by the communication system 1 of the first embodiment are obtained even by the communication system 101.

The present invention is not limited to the above embodiments.

In the above embodiments, the case where communication between the key management devices 3 and 103 and the receiving apparatuses 4_1 to 4_N and 104_1 to 104_N was carried out by the wireless method was exemplified, but the communication can be carried out by a wired method too.

Further, in the above embodiments, as the plurality of key acquisition methods of the present invention, two key acquisition methods SKT_A and SKT_B were exemplified, but the invention is not particularly limited to the type of the key acquisition method. Further, the number of the key acquisition methods is not particularly limited so far as it is plural.

For example, so far as the present invention employs the LSD or SD method for the first horizontal layer including the leaves to which a plurality of receiving apparatuses are allocated and employs the CST method for the second horizontal layer including the root to which the key management device is allocated, the horizontal layer may not exist or a single number or a plurality of layers may exist between the first horizontal layer and the second horizontal layer, and any key acquisition method may be applied to these horizontal layers.

According to the present invention, a data processing method defining the amount of communication between the key management side and the receiving apparatuses accompanied with the revocation processing and the amount of the key data held by the receiving apparatuses by a suitable trade off, a program of the same, an apparatus of the same, and a receiving apparatus can be provided.

INDUSTRIAL APPLICABILITY

The present invention can be applied to a data processing system for secure communication.

1. A data processing method performed by a key management side based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising: a first step of specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second step of specifying nodes not having any receiving apparatuses to be invalidated at branches of the nodes among nodes at terminal ends in the second layer; a third step of specifying the nodes not having any receiving apparatuses to be invalidated at the leaves branched from the node and nearest the root from among nodes located on the paths between the nodes specified at the second step and the root; and a fourth step of communicating with receiving apparatuses not to be invalidated based on the second key data allocated to the nodes specified at the third step.
2. A data processing method as set forth in claim 1, wherein in the fourth step the key management side communicates on the basis of the first key data with the receiving apparatuses which are elements of the sets specified by the first step and communicates on the basis of the second key data with the receiving apparatuses not to be invalidated linked with the leaves branched from the nodes specified by the third step.
3. A data processing method as set forth in claim 1, further comprising: a step of transmitting a key specification data specifying the first key data to the receiving apparatuses which is the elements of the sets specified by the first step; and a step of transmitting a key specification data specifying the second key data to the receiving apparatuses not to be invalidated linked with the leaves branched from the nodes specified by the third step.
4. A data processing method as set forth in claim 1, further comprising: a fifth step of setting to the plurality of receiving apparatuses before the first step, a third key data for generating a plurality of the first key data respectively allocated to a plurality of sets defined so that a set having only the receiving apparatuses not to be invalidated in the sub trees exists as elements even when any other receiving apparatuses in the sub trees to which the receiving apparatuses in the first layer belong are to be invalidated and a plurality of the second key data respectively allocated to all of the nodes positioned on the path between the node of the terminal end linked with the receiving apparatuses of the second layer and the root.
5. A program for making a computer on the key management side execute key management processing based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising: a first routine of specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second routine of specifying nodes not having any receiving apparatuses to be invalidated at branches of the nodes among nodes at terminal ends in the second layer; a third routine of specifying the nodes not having any receiving apparatuses to be invalidated at the leaves branched from the node and nearest the root from among nodes located on the paths between the nodes specified at the second routine and the root; and a fourth routine of communicating with receiving apparatuses not to be invalidated based on the second key data allocated to the nodes specified at the third routine.
6. A data processing apparatus for key management based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising a first means for specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second means for specifying nodes not having any receiving apparatuses to be invalidated at branches of the nodes among nodes at terminal ends in the second layer; a third means for specifying the nodes not having any receiving apparatuses to be invalidated at the leaves branched from the node and nearest the root from among nodes located on the paths between the nodes specified by the second means and the root; and a fourth means for communicating with receiving apparatuses not to be invalidated based on the second key data allocated to the nodes specified by the third means.
7. A receiving apparatus for communicating with a key management side based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising a storing means for storing third key data for generating a plurality of first key data allocated to a plurality of sets defined so that there are sets having as elements only receiving apparatuses not to be invalidated in the sub trees even in a case where any other receiving apparatuses in sub trees to which the receiving apparatuses in the first layer belong are invalidated and plurality of second key data allocated to all of the nodes located on the paths between the nodes on the terminal ends corresponding to those receiving apparatuses in the second layer and the root and a processing means for generating the first key data based on the third key data read out from the storing means when the key designation data received from the key management side designates the third key data, communicating with the key management side by using the first key data, and communicating with the key management side by using the second key data read from the storing means when the key designation data designates the second key data.
8. A data processing method of a fifth aspect of the invention is a data processing method performed by a key management side based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong and a second layer to which a root linked with the key management side belongs, comprising a first step of specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second step of specifying sets having as elements only nodes including only receiving apparatuses not to be invalidated at the branches among nodes on the terminal ends in the sub trees from among a plurality of sets defined in advance for the sub trees including receiving apparatuses to be invalidated at the branches among the sub trees belonging to the third layer; a third step of specifying the nodes not having any receiving apparatuses to be invalidated at the branches from the nodes and nearest the root from among nodes located on the paths between the nodes not having receiving apparatuses to be invalidated at the branches of the nodes and the root among the nodes of the second layer; and a fourth step of communicating with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified at the first step, the second key data allocated to the sets specified at the second step, and the third key data allocated to the nodes specified at the third step.
9. A program for making a computer on the key management side execute key management processing based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong, a second layer to which a root linked with the key management side belongs, and a third layer interposed between the first layer and the second layer, comprising a first routine of specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second routine of specifying sets having as elements only nodes including only receiving apparatuses not to be invalidated at the branches among nodes on the terminal ends in the sub trees from among a plurality of sets defined in advance for the sub trees including receiving apparatuses to be invalidated at the branches among the sub trees belonging to the third layer; a third routine of specifying the nodes not having any receiving apparatuses to be invalidated at the branches from the nodes and nearest the root from among nodes located on the paths between the nodes not having receiving apparatuses to be invalidated at the branches of the nodes and the root among the nodes of the second layer; and a fourth routine of communicating with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified at the first routine, the second key data allocated to the sets specified at the second routine, and the third key data allocated to the nodes specified at the third routine.
10. A data processing apparatus for key management based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong, a second layer to which a root linked with the key management side belongs, and a third layer interposed between the first layer and the second layer, comprising: a first means for specifying sets having as elements only receiving apparatuses not to be invalidated in the sub trees from among a plurality of sets defined in advance for sub trees including receiving apparatuses to be invalidated among sub trees belonging to the first layer; a second means for specifying sets having as elements only nodes including only receiving apparatuses not to be invalidated at the branches among nodes on the terminal ends in the sub trees from among a plurality of sets defined in advance for the sub trees including receiving apparatuses to be invalidated at the branches among the sub trees belonging to the third layer; a third means for specifying the nodes not having any receiving apparatuses to be invalidated at the branches from the nodes and nearest the root from among nodes located on the paths between the nodes not having receiving apparatuses to be invalidated at the branches of the nodes and the root among the nodes of the second layer; and a fourth routine of communicating with the receiving apparatuses not to be invalidated based on the first key data allocated to the sets specified by the first means, the second key data allocated to the sets specified by the second means, and the third key data allocated to the nodes specified by the third means.
11. A receiving apparatus for communicating with a key management side based on a tree defining a first layer to which a plurality of leaves linked with a plurality of receiving apparatuses belong, a second layer to which a root linked with the key management side belongs, and a third layer interposed between the first layer and the second layer, comprising a storing means for storing second key data for generating a plurality of first key data allocated to a plurality of sets defined so that there are sets comprised of only receiving apparatuses not to be invalidated in the sub trees even in a case where any other receiving apparatuses in sub trees to which receiving apparatuses in the first layer belong are invalidated, fourth key data for generating a plurality of third key data allocated to a plurality of sets defined so that there are sets having as elements only nodes at the terminal ends not having receiving apparatuses to be invalidated at the branches thereof even in a case where other receiving apparatuses at the branches of any nodes among nodes at the terminal ends of the third layer are invalidated, and a plurality of fifth key data allocated to all of the nodes located on the paths between the nodes at the terminal ends corresponding to the receiving apparatuses at the second layer and the root and a processing means for generating the first key data based on the second key data read from the storing means when the key designation data received from the key management side designates the second key data, generating the third key data based on the fourth key data read from the storing means when the key designation data designates the fourth key data, communicating with the key management side by using the third key data, and communicating with the key management side by using the fifth key data read from the storing means when the key designation data designates the fifth key data.